- Dependency tree visualization — See every GitHub Action your workflows depend on, including transitive dependencies from composite actions, rendered as a color-coded tree in your terminal.
- Recursive composite action resolution — Automatically fetches `action.yml` from GitHub for each action and follows composite action chains to build the full dependency graph.
- Risk assessment — Every dependency is scored based on three factors: mutable tags (not SHA-pinned), unverified creators (not in the known-good list), and high transitive depth. Risk levels: LOW, MEDIUM, HIGH, CRITICAL.
- Multiple export formats — Export your dependency graph as Mermaid (for GitHub PR comments), DOT/Graphviz (for diagram rendering), or JSON (for programmatic analysis).
- Diff mode — Compare two workflow files side-by-side to see which action dependencies were added or removed. Useful for reviewing PRs that modify CI workflows.
- Audit command — Combined tree view plus risk summary showing counts at each risk level across all your workflow dependencies.
- Local caching — GitHub API responses are cached in a local SQLite database with 24-hour TTL, so repeated runs don't burn through your rate limit.
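To make the three risk factors concrete, here is an added example (not actions-graph's own code) that scores a single `uses:` reference the way the feature list describes. The known-good creator set, the depth threshold and the one-level-per-factor mapping are assumptions for illustration; the sample references are constructed.

```python
"""Score a GitHub Action `uses:` reference on the three factors above:
mutable tag, unverified creator, and high transitive depth.
Creator list, depth threshold and level mapping are assumed here."""
import re
from dataclasses import dataclass, field

# Assumed known-good creators; the real tool's list is not shown on the page.
KNOWN_GOOD_CREATORS = {"actions", "github"}
# Assumed: depth beyond this many composite-action hops is a risk factor.
MAX_SAFE_DEPTH = 2
# Only a full 40-hex-char commit SHA is an immutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Assessment:
    owner: str
    ref: str
    factors: list = field(default_factory=list)
    level: str = "LOW"


def assess(uses: str, depth: int = 0) -> Assessment:
    """depth = composite-action hops from the workflow (0 = used directly)."""
    # Local (./path) and docker:// references have no remote tag to pin.
    if uses.startswith("./") or uses.startswith("docker://"):
        return Assessment(owner="", ref="")
    repo, _, ref = uses.partition("@")
    owner = repo.split("/")[0]
    factors = []
    if not SHA_RE.match(ref):          # @v4, @main, or no ref at all
        factors.append("mutable-tag")
    if owner not in KNOWN_GOOD_CREATORS:
        factors.append("unverified-creator")
    if depth > MAX_SAFE_DEPTH:
        factors.append("high-transitive-depth")
    # Assumed mapping: one level step per factor present.
    level = ["LOW", "MEDIUM", "HIGH", "CRITICAL"][len(factors)]
    return Assessment(owner, ref, factors, level)


if __name__ == "__main__":
    # Constructed sample references, not taken from any real workflow.
    samples = [("actions/checkout@v4", 0),
               ("actions/checkout@0123456789abcdef0123456789abcdef01234567", 0),
               ("someone/untrusted-action@main", 3)]
    for uses, depth in samples:
        a = assess(uses, depth)
        print(f"{uses!r:62} depth={depth} -> {a.level} {a.factors}")
```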
| Command | What it does |
|---|---|
| `actions-graph tree` | Display dependency tree in terminal |
| `actions-graph export --format mermaid` | Export as Mermaid flowchart |
| `actions-graph export --format dot` | Export as Graphviz DOT |
| `actions-graph export --format json` | Export as JSON |
| `actions-graph diff a.yml b.yml` | Compare two workflow files |
| `actions-graph audit` | Tree + risk summary |
- Gracefully handle malformed `action.yml` files instead of crashing
- Properly clean up HTTP connections and cache on errors
- Avoid resource leaks when reading workflow files